Lessons  Learned  in  Cyberspace  Security 

Margaret  M.  McMahon,  Ph.D.  and  Lori  DeLooze,  Ph.D. 

ANRC,  LLC 

5309  Wurzbach  Rd. 

Suite  101 

San  Antonio,  Texas  78238 
{mac,lori}@anrc-services.com 


Paper:  Number  097 


Presented at the 18th International Command & Control Research & Technology Symposium (ICCRTS), 16-19 June 2014, Alexandria, VA. Report date: June 2014. Approved for public release; distribution unlimited.



Abstract 

The lessons learned in cyberspace operations continue to shape cybersecurity education. When a computer is connected to any network, it is immediately exposed to both direct and automated attacks. The number of threats in cyberspace is beyond that experienced in the physical world.

After  analyzing  the  history  and  shape  of  evolving  cyberthreats,  several  key  concepts  emerge.  In 
keeping  with  the  theme  of  Lessons  Learned  from  Research  and  Operations,  the  authors  discuss 
their  lessons  learned  about  cybersecurity.  Their  experience  was  gained  during  their  years  in 
operational  communities,  doing  test  and  evaluation,  and  later,  as  educators  of  military  and  DoD 
students.  The  intent  of  this  paper  is  to  bridge  the  language  and  topics  of  malware  used  in 
academia  to  the  operational  community,  and  to  provide  a  lingua  franca  to  support  a  dialog 
between  the  communities. 

We enumerate the top ten concepts that operators, developers, maintainers, and managers need to address to stay safe in cyberspace. For each concept we give a brief description, explain its impact, state the main takeaways, and note its relevance to Command and Control (C2). The paper also discusses how individuals can continue to increase their awareness of cybersecurity threats and vulnerabilities.
Introduction


Security professionals must learn to communicate using the vocabulary of the security domain. Knowing the common language used when discussing malicious software (malware) enables a user to communicate problems and concerns with other specialists in the field. This language includes the types of malware and the lessons learned in studying each.

Malware can be assigned to one of several categories according to specific features, or it can be characterized by features that place it in more than one category at once; a single sample may be a Trojan that installs a backdoor and enrolls the machine in a botnet. This paper focuses on malicious software and not on the misuse of protocols, such as when normal network conversations are used maliciously in distributed denial-of-service (DDoS) attacks. In addition, we concentrate primarily on the Windows Operating System (OS). Because it is the most widely-used consumer OS, it is a major target for malware authors. Windows users need to be aware of the wide range of threats to their computers. Even older threats can be destructive to a computer that does not have up-to-date antivirus software, or whose network is not protected by a well-configured firewall.

Background 

The authors have had the privilege of teaching cybersecurity to those on the front lines of cyberwar, and to those who support them. Our approach to educating cybersecurity students contains a minimum of lecture with a large percentage of hands-on exercises. During course development, we strive for less than forty percent of the class time dedicated to lecture, with at least sixty percent of the time available for related labs that reinforce the important concepts. In a malicious software (malware) class, students follow a standard malware analysis process [14], build an analysis workstation, and learn new tools as they investigate numerous malware samples. Students use a series of static and dynamic analysis tools and techniques to determine the mechanisms used by the malware to cause changes in the files, registry, open ports, and processes (FROP) on the victim machine. Students then interact with the malware and investigate the differences between a clean system and an infected one.

The  lessons  we  have  learned  about  cyberspace  are  enumerated  in  the  top  ten  concepts  that 
operators,  developers,  maintainers,  and  managers  need  to  address  to  stay  safe  in  cyberspace. 


Related  Work 

Carpenter [4] brings to light the evolution of Command and Control (C2) being coupled to emerging technology. The evolution of C2 in malware also follows technology. Dittrich and Dietrich [6] define malware's C2 as being single-threaded, distributed, or peer-to-peer. Malware has evolved from a single thread that reaches back to a source to download a malicious executable, to botnets that make a computer function as a node in a peer-to-peer network.

Top  Ten  Concepts 

The top ten concepts will begin with a simple virus and build in complexity to advanced persistent threats, with each concept building on the previous ones, as illustrated in Figure 1.

Each of the ten concepts will include: a brief definition; the impact to a computer or organization, including typical behavior; the takeaways that each person must understand about the concept; and how it can potentially affect C2. While we focus on the examples and mechanisms of malware on computers running the Windows operating system, the same principles apply to other operating systems. For native malware to run on a computer, its code must be compiled for that computer's processor architecture and built against that computer's operating system interfaces. For example, a virus compiled as a Windows executable will not execute on a UNIX computer, even one with the same processor. Interpreted malware, such as a macro or a script, is bound instead to the presence of its interpreter, which is why a macro virus can travel with a document from one machine to another.


Virus 

Description. A virus is a piece of code that lives as part of a program. Like a virus in the real world, it needs a host program to propagate, and cannot move to another computer without being carried there. Propagation can also occur through automated mechanisms that are enabled on the infected machine, such as a macro.

Melissa is an example of a macro virus. When it runs, it checks the computer's registry to see if the computer has been previously infected. On uninfected machines, it mails itself to the first 50 contacts in the Outlook address book. When the minute after the hour matches the day of the month, for example at 11 minutes past each hour on the 11th of December, the message stored in the virus payload is inserted into the active document.

Impact. While the virus, unleashed in March 1999, did not erase files or permanently damage the 1.2 million computers it infected around the world, prosecutors say it caused widespread disruption and cost businesses $80 million [12].

Takeaway. The virus propagated itself through e-mail attachments because macros were enabled by default on the infected machines. An organization needs to be running antivirus (AV) scans on both incoming e-mail and documents, and disable macros by default, allowing them only from trusted, signed sources.

Relevance to C2. Malware that disrupts C2 can be delivered in the same way, as an attachment to e-mail. Stuxnet, the usual example of malware aimed at a control system, actually spread through removable media and network shares rather than e-mail, which shows that the attachment is only one of several delivery vectors a C2 organization must close.

Worm 

Definition. A worm is a program that replicates itself, and propagates on its own. The first worm unleashed on the Internet was the Morris Worm, written by a graduate student at Cornell in 1988 [15]. The Conficker worm replicated itself and subverted Windows and third-party security software, making the computer vulnerable to infiltration and further infection [3].

Impact. Any computer on a network is vulnerable. Since a worm reproduces itself, a system's performance can be seriously affected by the number of processes that begin running. The Morris worm prompted DARPA to fund the establishment of the Computer Emergency Response Team (CERT) at Carnegie Mellon University to give experts a central point for coordinating responses to network emergencies.

Takeaway. Any shared drive or trusted connection allows a worm to propagate. The way to contain a worm is to control propagation and end the worm processes running on the computer. Propagation over shares can be blocked by hardening the passwords that protect them; Conficker, for example, spread partly by guessing weak administrative share passwords from a built-in dictionary and partly through an unpatched Windows service vulnerability, so prompt patching matters as much as password hygiene.

Relevance to C2. Worms propagate quickly, consuming resources, such as bandwidth in a communications channel or processor cycles in a key computer in a network. For example, infecting a computer in an air operations center could disrupt the C2 infrastructure by propagating throughout a sector and consuming resources, ending real-time situational awareness.

Phishing 

Definition. A user is lured into opening an e-mail with an enticing subject, or a demand that urges immediate action [5], and clicks on a link in the e-mail, initiating the download of a piece of software. There may be a second phase, where the downloaded software contacts a computer on the Internet to request a larger piece of software. If the software names that computer by a domain name in a uniform resource locator (URL) rather than by a fixed address, the attacker can point the name at a different computer at different times simply by changing its DNS records. A phishing e-mail can be sent to a random group of e-mail addresses, or it may be targeted. Spear phishing is when the sender has identified a specific group with which the e-mail address owner is associated, and effort is invested to tailor the e-mail. In whaling, a larger amount of effort is expended to customize an e-mail to be attractive to a CEO, or other senior corporate officer.

Impact. It is easier to put software on a computer inside a network by phishing than by breaking into the computer. Malware can also be downloaded by loading a page with an embedded script or clicking on a link in social media.

Takeaway. Users have to be educated how to recognize fraudulent e-mails, not to click on links in e-mails, and to disable automatic scripts. Simply put, do not open e-mails from people you do not know. Unfortunately, a sender's address can be spoofed, so the visible sender is not proof of origin. All incoming traffic needs to be scanned by AV software for matching known signatures of malware.

Relevance to C2. After researching an organization through social engineering and publicly available information, whaling and spear phishing e-mails can be written that appeal to key personnel in a C2 organization.
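Two of the checks a defender can script against an inbound message, as an added example that is not the paper's code: whether the visible link text points where the href really goes, and whether replies would be routed to a domain other than the visible sender's. The message below is constructed for illustration, its domains are documentation placeholders, and the two-label "registrable domain" helper is a simplification (a production check would consult the Public Suffix List).

```python
"""Link-text vs. href and Reply-To vs. From checks on an inbound e-mail.
Added example; the message is constructed, not a real phish."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Last two labels of a host name. Simplification for the example; a real
    check would use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def link_mismatches(html_body: str) -> list:
    """(shown text, real href) pairs where the text looks like a URL or host
    name but the href resolves to a different registrable domain."""
    parser = _LinkCollector()
    parser.feed(html_body)
    found = []
    for href, text in parser.links:
        target = urlparse(href).hostname or ""
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if "." in shown and registrable(shown) != registrable(target):
            found.append((text, href))
    return found


def reply_to_mismatch(msg) -> bool:
    """True when replies would go to a different domain than the visible sender."""
    sender = msg["From"].addresses[0].domain
    reply_to = msg["Reply-To"]
    if reply_to is None or not reply_to.addresses:
        return False
    return registrable(reply_to.addresses[0].domain) != registrable(sender)


def analyse(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",)).get_content()
    return {
        "subject": str(msg["Subject"]),
        "link_mismatches": link_mismatches(body),
        "reply_to_mismatch": reply_to_mismatch(msg),
    }


# Constructed message; example.com / example-support.net are placeholders.
RAW = b"""From: "IT Service Desk" <helpdesk@example.com>
Reply-To: helpdesk@example-support.net
To: analyst@example.com
Subject: ACTION REQUIRED: your mailbox will be disabled in 24 hours
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires today. Sign in now to keep your account:</p>
<p><a href="http://203.0.113.10/owa/">https://mail.example.com/owa/</a></p>
<p>Help: <a href="https://intranet.example.com/help">intranet.example.com/help</a></p>
</body></html>
"""

if __name__ == "__main__":
    for key, value in analyse(RAW).items():
        print(f"{key}: {value}")
```

The first link is the classic lure: the text reads as the organization's own webmail, the href is a bare IP address. The second link is honest and is not flagged, which is the behaviour to check for before turning a heuristic like this into a mail-gateway rule; spoofed From headers are not caught by either check, which is why SPF, DKIM and DMARC evaluation at the gateway remains necessary.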

Trojan 

Description. A Trojan is a combination of software; something undesirable is packaged together with something desirable. A classic example was the Elf Bowling attachment, which ran rampant through the authors' former school. It was a fun program featuring elves as bowling pins, but it was packaged with the SubSeven (Sub7) malware, which allowed remote access to the infected machine. IExpress, which is delivered with the Windows OS, is one of the legitimate tools for packaging multiple programs together; a self-contained executable can have an installer program packaged with an application executable. It takes very little effort to take an existing malware program and wrap it with a desirable application to make a Trojan.

Impact. Users install these programs purposely, without any hint that malware is being installed alongside.

Takeaway. Trojans can be constructed easily. When installing software, verify that the executable's hash matches the one the publisher has released for that program. If the good executable has been packaged with something else, the hash values will not match. Prefer a SHA-256 digest over MD5 where the publisher offers one: MD5 collisions are practical, and a published digest only proves anything if it was obtained over a channel the attacker does not control, such as a signed release page rather than the same mirror that served the download. The consequences of a Trojan horse may be the installation of a backdoor, bot, or administrator tools.

Relevance to C2. Similar to phishing attacks, a Trojan horse is a delivery vector for malicious code that can disrupt and delay C2 channels.
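A hash check of the kind the takeaway describes, as an added example that is not the paper's code. The "genuine" program bytes, the wrapped Trojan and the published digest are all constructed here; a real check reads the digest from the publisher's signed release page or detached signature file, fetched separately from the download itself.

```python
"""Verify a download against a published digest before running it.
Added example; the binaries and the 'published' value are constructed."""
import hashlib
import hmac


def digest(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of an in-memory blob."""
    h = hashlib.new(algo)
    h.update(data)
    return h.hexdigest()


def digest_file(path: str, algo: str = "sha256", chunk: int = 1 << 20) -> str:
    """Same, streamed from disk so large installers need not be read at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify(data: bytes, published_hex: str, algo: str = "sha256") -> bool:
    """True only if the computed digest equals the published one.
    compare_digest is constant-time; strip/lower tolerate copy-paste differences."""
    return hmac.compare_digest(digest(data, algo), published_hex.strip().lower())


def wrap_with_dropper(clean_exe: bytes, payload: bytes) -> bytes:
    """Stand-in for a self-extracting wrapper: the genuine program with a second
    program appended. The real IExpress layout is different; the point is only
    that any repackaging changes the bytes and therefore the digest."""
    return clean_exe + b"\x00--payload--\x00" + payload


# Constructed stand-ins (not real binaries).
CLEAN_GAME = b"MZ\x90\x00 ... elf bowling ... "
PUBLISHED = digest(CLEAN_GAME)            # what the publisher would list
TROJANED = wrap_with_dropper(CLEAN_GAME, b"remote access server stub")

if __name__ == "__main__":
    print("published :", PUBLISHED)
    print("genuine ok:", verify(CLEAN_GAME, PUBLISHED))   # True
    print("wrapped ok:", verify(TROJANED, PUBLISHED))     # False
    # MD5 still detects naive repackaging, but it is collision-prone, so an
    # attacker who controls the published value can defeat it.
    print("md5 differs:", digest(CLEAN_GAME, "md5") != digest(TROJANED, "md5"))
```

The check catches repackaging, not a publisher who was compromised upstream; for that, a code-signing signature chained to a trusted certificate is the stronger control, and the two should be used together.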

Backdoor 

Description. A backdoor allows a remote user to connect to a program running on an infected system in a stealthy manner.

Impact. A component of a Trojan might be a program that opens a port and installs a program to give a remote user full access to the infected computer. A new user account could be added with a trusted connection. The backdoor may also be an Easter egg: special code added by a programmer that grants privileges to whoever knows the trigger.

Takeaway. For secure systems, all source code should be inspected and compiled by your organization. Recognize that the use of proprietary OS and application code makes this impossible. The use of open source software requires that internal staff become experts in the source code, which may not be economically feasible. Applying dynamic malware analysis techniques when running the code may yield insights into the legitimacy of its behavior, but a program may execute differently each time it runs, and a backdoor that waits for a trigger shows nothing until the trigger arrives.

Relevance to C2. The installation of a backdoor allows an intruder to access, modify, and delete critical configuration information. In this manner, the C2 nodes can either cease to function properly, or worse, function with detrimental effects.

Bots 

Description. A bot is a program running on an infected machine that makes it one of a group of zombie computers responding to the commands of a herder. The herder controls the bots through the C2 structure of a botnet. By commandeering the resources of many computers, the herder can solve a distributed processing problem such as password cracking, send spam, or launch a Distributed Denial of Service (DDoS) attack. A herder either uses all the computers personally, or rents them out. One study in 2013 estimated that 61.5% of the traffic on the Internet was from bots [8].

Impact. An infected computer in your network will begin to beacon to its controller, sending periodic heartbeat messages. It may download file(s) to execute, and coordinate with other bots to perform a task or mount an attack. If it becomes part of an attack, it may generate a lot of traffic to one address.

Takeaway. The generic sign of an infected machine is the network traffic it generates: regular connections to the same outside address, often at fixed intervals. The machine may, however, exhibit different behavior over time based on who is leasing it.

Relevance to C2. A bot can be located in a C2 node, using that node's bandwidth for its covert channel. A node in a tactical setting, such as a radio with limited bandwidth used in an amphibious assault, could be beaconing as a bot, or worse, covertly exfiltrating critical information. In an operational area, the amount of bot traffic on the network could go undetected, and the ability to reprogram an affected unit would be extremely limited.

Admin  tools 

Description.  System  administration  tools  can  be  installed  as  a  service  on  a  computer,  and  there 
are  legitimate  reasons  to  remotely  access  the  service  through  an  open  port.  However,  these  same 
tools  can  be  installed  and  used  by  attackers.  One  of  the  malware  delivery  methods  described 
earlier  can  bring  the  tool  to  your  computer,  and  allow  an  attacker  full  access  to  a  computer  in 
your  network. 

Impact.  Since  frameworks  of  tools  are  widely  available,  those  without  extensive  technical  skills 
can  use  them  against  your  computer.  After  installing  these  tools,  a  remote  user  has  complete 
access  to  an  infected  system,  including  the  addition,  deletion  or  modification  of  FROP. 

Takeaway.  Leaving  ports  open  for  legitimate  tools  is  always  risky,  because  it  is  an  open  door  for 
attackers.  When  using  these  tools,  monitor  activity  and  check  it  against  a  baseline  of  normal 
activity.  The  existence  of  an  unauthorized  admin  tool  requires  an  investigation  into  its  origin. 

Relevance to C2. In addition to full control to add, delete and modify anything on a computer, these tools allow remote access to the camera and screen. Through such a feed, an intruder is effectively present in the room or on the computer to observe actions or intentions. These tools could be installed using a Trojan horse vector.

Network Diagnostic Tools


Description. A Network Diagnostic Tool (NDT) automates a checklist of vulnerability tests on the systems in your network. Tools such as Nmap assist a system administrator by providing insights into the configuration of computers on your network [16]. However, when such a tool is surreptitiously installed by one of the methods discussed previously (e.g. clicking on a link), it can inventory all the operating systems on your network, and provide an attacker with a map of your networks and a list of their vulnerabilities.

Impact. The immediate impact on your system is an increase in internal network traffic, typically many connection attempts from one host to many ports or many hosts in a short time. The reports of the scans may be sent outside the network to an attacker, or held for later retrieval.

Takeaway. NDTs can be both good and bad. In the right hands, they are powerful diagnostic tools; in the hands of an intruder they are powerful reconnaissance tools. An intrusion detection system (IDS) and internal sensors need to be installed to detect unauthorized scanning activity on your network, and authorized scans should be scheduled and logged so that anything else stands out.

Relevance to C2. The output of the vulnerability scanners available in network tools provides a blueprint for a successful attack on the computers in a network.
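Detection logic for the two network signs described in this paper, the bot heartbeat of the Bots takeaway and the scanning burst of the Network Diagnostic Tools takeaway, as one added example that is not the paper's code. It runs over a constructed flow log of (timestamp, source, destination, destination port) records; in practice the records would come from NetFlow/IPFIX, a Zeek conn.log or firewall logs, and the thresholds are assumptions to be tuned per network.

```python
"""Beacon and scan detection over one constructed flow log.
Added example; records are (epoch seconds, src, dst, dport), not real traffic."""
from collections import defaultdict
from statistics import mean, pstdev

FLOWS = []
# 10.0.0.23 beacons every ~60 s (-1..+1 s jitter) to one address and port.
for i in range(12):
    FLOWS.append((1000 + 60 * i + (i % 3) - 1, "10.0.0.23", "198.51.100.7", 443))
# 10.0.0.41 browses irregularly to several addresses.
for t, dst in [(1003, "93.184.216.34"), (1047, "198.51.100.7"),
               (1230, "203.0.113.5"), (1900, "93.184.216.34")]:
    FLOWS.append((t, "10.0.0.41", dst, 443))
# 10.0.0.99 probes 20 ports on one internal host within four seconds.
for p in range(1, 21):
    FLOWS.append((1500 + 0.2 * p, "10.0.0.99", "10.0.0.50", p))


def beacons(flows, min_count=8, max_cv=0.1):
    """(src, dst, dport) keys seen at least min_count times whose inter-arrival
    times are regular: coefficient of variation (stdev/mean) at or below max_cv.
    Returns [(key, mean_interval_seconds)]."""
    by_key = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_key[(src, dst, dport)].append(ts)
    hits = []
    for key, times in by_key.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((key, round(avg, 1)))
    return hits


def scanners(flows, window=10, min_targets=15):
    """Sources that touch at least min_targets distinct (dst, dport) pairs
    within any window of `window` seconds."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_src[src].append((ts, (dst, dport)))
    hits = []
    for src, events in sorted(by_src.items()):
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {tgt for t, tgt in events[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                hits.append(src)
                break
    return hits


if __name__ == "__main__":
    for key, interval in beacons(FLOWS):
        print(f"beacon  {key[0]} -> {key[1]}:{key[2]} every ~{interval}s")
    for src in scanners(FLOWS):
        print(f"scanner {src}")
```

Keying the beacon check on (source, destination, port) rather than on the source alone is what keeps the port scanner, whose probes are also evenly spaced, out of the beacon list. A bot that randomizes its sleep interval or rotates destinations will push the coefficient of variation above the threshold, so beacon detection should be paired with destination reputation and volume baselines; the scan detector likewise needs an allow-list for the hosts that run authorized scans.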

Rootkits 

Description. Rootkit malware gives the attacker full administrative privileges, and can hide the existence of FROP from normal tools. Rootkits can operate at different levels of OS privilege, and might be delivered by one of the previous methods, or arrive in the firmware of a new computer. The ones usually encountered with malware are user-mode or kernel-mode rootkits.

Impact. Rootkits interfere with what the user tools report about FROP, allowing malware to subvert your computer without leaving a trace. In effect, you do not know what you do not know. Once a rootkit is found, it may be incredibly difficult to eradicate, and the best choice may be to reload the OS; a firmware rootkit survives even that.

Takeaway. There are times when you cannot trust normal tools. Take care when installing software that runs in privileged (kernel) mode; for example, do not load unsigned drivers in Windows. Regularly scan with tools that bypass the OS, or that examine the disk from a clean boot environment, to locate hidden FROP by comparing what the running OS reports with what the raw structures contain.

Relevance to C2. As with any computer, the installation of a rootkit on a node allows any or all of the above types of malware to operate covertly. This feature of malware is particularly insidious, because it has to be diagnosed indirectly or through the use of special tools.


Advanced  Persistent  Threat 

Description. As the name implies, these are attack mechanisms created by skilled developers, who may use a series of stages to meet a specific objective. These attacks are by adversaries who have determined that they will get something from their target. Unlike the random attacks of script kiddies, they will use any technique and invest copious amounts of time and resources until they obtain their goal [1, 9]. The most widely publicized APT to date is the Stuxnet worm, which targeted a specific industrial control system.

Impact. These attackers will continue to use any and all techniques at their disposal, and will not stop until they reach their objective. APTs often use zero-day exploits that have no associated signatures in protective anti-virus software.

Takeaway. The best approach is a defense-in-depth strategy, characterized by, but not limited to, ensuring that both the networks and the individual computers are protected, and keeping every computer's OS and applications up-to-date. These attacks are persistent, and defense against them requires vigilance: scanning your internal and external network with sensors, and auditing activity logs. APTs are the worst type of cyberthreat because of the intensity and commitment of the attackers, who may be funded by governments with competing interests [9].

Relevance to C2. An APT is a major offensive weapon because of the resources that are committed to disrupt a target's C2 systems and the target's critical infrastructure. Although a difficult concept, we may have to accept that dedicated attackers will get into C2 nodes, and approaches will need to reduce their dwell time in the system, while denying them outgoing communications [2].

Increasing  Cyberthreat  Awareness 

There  are  several  ways  to  increase  awareness  of  the  cybersecurity  threats,  and  current 
vulnerabilities.  For  example,  vulnerability  information  can  be  found  at  National  Vulnerability 
Database  (NVD)  [11]  (Figure  2)  and  Symantec  Connect  [13]  (Figure  3).  Vulnerability  research 
can  be  found  at  Hackerstorm  [7].  Several  of  these  websites  also  have  mailing  lists  to  push  timely 
information  to  subscribers. 
[Figure 2. The National Vulnerability Database homepage. NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP), covering security checklists, software flaws, misconfigurations, product names, and impact metrics. The page as captured (last updated 2/4/2014) listed 60348 CVE vulnerabilities, 227 checklists, 248 US-CERT alerts, 2818 US-CERT vulnerability notes, 10286 OVAL queries and 83734 CPE names, with links to the vulnerability search engine (CVE flaws and CCE misconfigurations), the National Checklist Program (XCCDF and OVAL), SCAP-compatible tools and data feeds, the CPE product dictionary, CVSS impact metrics, and CWE.]
[Figure 3. The SecurityFocus homepage (http://www.securityfocus.com). The capture lists BugTraq IDs published 2014-02-05, including Mozilla Firefox/Thunderbird/SeaMonkey multiple memory corruption vulnerabilities (CVE-2014-1477, CVE-2014-1478), ImpressCMS arbitrary file access and multiple cross-site scripting vulnerabilities, and a series of Oracle MySQL Server remote security vulnerabilities (CVE-2013-5881, CVE-2013-5894, CVE-2014-0386, CVE-2014-0402, CVE-2014-0427, CVE-2014-0433).]
There are several websites that can increase awareness of the state of cyberthreats. One website
that  provides  access  to  a  threat  library  is  McAfee’s  Threat  Center  [10]  (Figure  4).  To  learn  more 
about  a  specific  virus  or  other  piece  of  malware,  enter  its  name  in  the  search  box.  The 
information  in  the  database  includes  the  malware’s  characteristics,  method  of  infection,  removal, 
and  variants.  It  also  shows  the  area  of  the  world  where  the  malware  is  currently  proliferating. 
[Figure 4. The McAfee Threat Center. The capture shows a breaking advisory (January 14, 2014: Microsoft released four January Security Bulletins affecting Windows, Office and Server software, one rated Important with a potential impact of remote code execution), a link to the McAfee Labs 2014 Predictions Report, and the Threat Library search box, which accepts a malware name, vulnerability name, or intrusion attack, with links to submit a virus or malware sample, dispute a URL or classification, or dispute a detection.]


Education is another key piece of expanding awareness and understanding of cyberthreats. To gain depth in understanding malware, there are classes that explore the network delivery methods and the behavior of infected computers. The study of malicious network traffic involves first determining whether there has been abnormal network behavior, then working to isolate any malware transmitted over the network. Another area of study that increases fluency in cyberthreats is basic malware analysis, which explores the qualities of different types of malicious software and how each affects an infected computer's files and registry, and its network and process activity.

Conclusions 

Users are always the first line of defense against cybersecurity threats, and not enough can be said for continuing education and for an organization that takes security seriously. By classifying and characterizing malware by type, security professionals can more easily describe specific behaviors and determine effective methods to defeat the threat.

Every threat that has ever been conceived is still out there. It can be slightly changed to produce a new signature, or combined with other threats to build more complex attacks. Worse, malware is available in kits, similar to the development kits software developers use, putting it in the hands of anyone with a desire to attack or experiment.

Malware can be identified by anti-virus (AV) tools only if it is a known form and its signature exists in the AV databases. AV cannot detect zero-day threats, which exploit previously unknown vulnerabilities; since they are unknown, no signature or other counter to them yet exists.
Presentation Slides

Motivation

How malware affects a system

Top Ten (simple to complex)

- Brief description
- Explain impacts
- Main takeaways
- Relevance to Command and Control (C2)

Increase awareness of cybersecurity threats and vulnerabilities

Conclusion


Motivation 


Connected  computers  are  vulnerable 

-  Direct  attacks 

-  Automated  attacks 

Several  key  concepts  emerge 

Bridge  language  and  topics  of  malware 
from  academia  to  operational  community 


How  Malware  Affects  a  System 


• Look at FROP

- Files
- Registry
- Open Ports
- Processes

• Add, delete, modify

How to analyze:

- Snapshot the system before infection
- Compare the snapshot after infection, and again after a restart

Top Ten (ordered by increasing complexity)


Virus 


Define: 

-  Part  of  Program 

-  Manual  Propagation  (also  macros) 

Impact: 

-  Disruption  or  destruction 

Takeaway: 

-  AV  Scan  incoming  e-mail  and  documents 

-  Do  not  click  on  links 


Virus:  Relevance  to  C2 




Malware  that  disrupts  C2  can  be  downloaded  as  a 
virus  attachment  in  an  e-mail 


Worm 


Define: 

-  Propagates  automatically 

-  Consumes  resources 

Impact: 

-  Any  networked  computer  is  vulnerable 

Takeaway: 

-  Control  propagation 

-  Harden  shared  drives  with  password  protection 


Worm:  Relevance  to  C2 


Lose bandwidth in a communications channel

Lose processor cycles on a key computer in a network (e.g. an air operations center)


Phishing 


Define: 

-  Phishing,  spear  phishing,  whaling 

Impact: 

-  Easier  than  breaking  into  a  system 

-  Can  target  based  on  social  media  participation 

Takeaway: 

-  Don’t  click  on  links  in  e-mails 

-  Don’t  open  e-mails  from  people  you  don’t  know 


Phishing:  Relevance  to  C2 

•  Social  engineering  can  be  used 

•  E-mails  to  key  personnel 


Trojan 


Define: 

-  Package  something  undesirable  together  with 
something  desirable 

Impact: 

-  Legitimate  software  delivers  something  extra 

Takeaway:

- Can be easily constructed (e.g. with Windows IExpress)
- Check published hashes before installing (MD5 is still commonly published, but it is collision-prone; prefer SHA-256 where available)
- Payloads installed: backdoor, bot, admin tools


Trojan:  Relevance  to  C2 


Delivery  mechanism  for  malicious  code  that 
can  disrupt  and  delay  C2  channels 
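One way to act on the "check published hashes" takeaway, as an added example that is not the paper's code or any vendor's tool: verify downloaded installers against a publisher's checksum list before installing. The checksum list format (`<hexdigest>  <filename>` per line, as written by sha256sum/md5sum) is assumed, and the list and file contents below are constructed so the check runs offline.

```python
"""Verify downloaded files against a published checksum list.
Added example; the checksum list and the file contents are constructed."""
import hashlib
import hmac


def parse_checksum_list(text):
    """Parse 'digest  filename' lines (the sha256sum / md5sum format)."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        name = name.lstrip("*")          # binary-mode marker some tools emit
        expected[name] = digest.lower()
    return expected


def verify(files, checksum_text, algo="sha256"):
    """Return {filename: 'ok' | 'mismatch' | 'unlisted'} for each download.
    files maps filename -> bytes. algo is any hashlib name; md5 is accepted
    for legacy lists, but two different files can be crafted with the same
    MD5, so a matching MD5 is weaker evidence than a matching SHA-256."""
    expected = parse_checksum_list(checksum_text)
    results = {}
    for name, data in files.items():
        if name not in expected:
            results[name] = "unlisted"
            continue
        actual = hashlib.new(algo, data).hexdigest()
        # constant-time compare: harmless here, essential when the digest is
        # itself a secret (e.g. an HMAC), so keep the habit
        ok = hmac.compare_digest(actual, expected[name])
        results[name] = "ok" if ok else "mismatch"
    return results


# Constructed sample: a genuine installer, a tampered copy of it that was
# actually downloaded, and an extra file the publisher never listed.
GENUINE = b"MZ\x90\x00 genuine installer bytes"
TAMPERED = GENUINE + b"\x00 appended payload"
PUBLISHED_SHA256 = (
    f"{hashlib.sha256(GENUINE).hexdigest()}  setup.exe\n"
    f"{hashlib.sha256(b'readme').hexdigest()}  README.txt\n"
)
DOWNLOADS = {"setup.exe": TAMPERED, "README.txt": b"readme", "helper.dll": b"x"}


def example():
    return verify(DOWNLOADS, PUBLISHED_SHA256, "sha256")


if __name__ == "__main__":
    for name, status in example().items():
        print(f"{status:9} {name}")
```

The check is only as good as the channel the checksum came from: a checksum file fetched from the same mirror as a trojanized installer proves nothing, so take the digests from the vendor's own HTTPS page or a signed manifest.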


Backdoors 


Define:  Enter  computer  system  not  in  a 
normal  manner 

Impact: 

-  Trojan  can  open  a  port  and  install  reverse  shell 

-  New  user  added  with  trusted  connection 

-  Easter  egg:  programmer  adds  code  to  allow 
special  privileges 

Takeaway: 

-  Start  with  your  own  source  code  and  compile 


Backdoors:  Relevance  to  C2 


•  Intruder  can  access,  modify,  or  delete 
critical  configuration  information  in  a  C2 
node 


Bots 


Define: 

-  Individual  machines  called  zombies 

-  Part  of  a  C2  structure 

-  Distributed  processing 

•  Distributed  Denial  of  Service  (DDoS) 

•  Password  cracking 

-  Financial  gain 

Impact: 

-  Bots  call  home  for  C2 

-  Can  download  file(s)  to  execute 

-  Coordinate  with  other  bots 

-  61.5%  of  traffic  on  the  Internet  in  2013 


Bots  (continued) 

Takeaway: 

-  Different  actions  at  different  times  because 
of  bot  leasing 

-  Bots  are  noisy  on  a  network 


Bots:  Relevance  to  C2 

A  radio  with  limited  bandwidth  used  in 
an  amphibious  assault 

-  Beaconing 

-  Covert  exfiltration  of  critical  information 


Admin  Tools 


Define: 

-  Legitimate  opening  of  a  port  for  access 

-  Installing  server 

Impact: 

-  Whole  frameworks  are  available 

Takeaway: 

-  Remote  trouble  shooting  leaves  an  open  door 

-  Remote  user  can  add,  delete,  modify: 

•  Files,  processes,  registry,  network 

-  Need  to  check  indicators  against  a  baseline  of 
normal  activity 


Admin  Tools:  Relevance  to  C2 


•  Full  control  to  add,  delete  and  modify 
anything  on  a  computer 

•  Allow  remote  access  to  video  feeds 

•  An  intruder  is  present  in  the  room  or  on  the 
computer  to  observe  actions  or  intentions 

•  Could  be  installed  via  Trojan  horse  vector 
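The snapshot-and-compare procedure from the "How Malware Affects a System" slide, which the Admin Tools takeaway ("check indicators against a baseline of normal activity") also calls for, as an added example that is not the paper's code. Collecting the snapshots is left to host tooling (assumed: os.walk with hashlib for files, winreg for the registry, netstat or ss for listening sockets, tasklist or ps for processes); the three snapshots here are constructed so the comparison runs offline. It goes one step past the slide: diffing the baseline against both the infected and the restarted snapshots separates the persistence mechanism from the transient dropper.

```python
"""Baseline-and-compare for the FROP indicators: Files, Registry, Open ports,
Processes. Added example; the three snapshots below are constructed."""
import hashlib
from dataclasses import dataclass, field


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Snapshot:
    files: dict      # path -> sha256 of contents
    registry: dict   # "hive\\key\\value" -> data
    ports: dict      # (proto, port) -> image path of the listening process
    processes: dict  # image path -> sha256 of the image on disk (PIDs are not
                     # stable across a restart, so key on the image instead)


@dataclass
class Diff:
    added: dict = field(default_factory=dict)
    deleted: dict = field(default_factory=dict)
    modified: dict = field(default_factory=dict)   # key -> (before, after)


def diff_map(before: dict, after: dict) -> Diff:
    d = Diff()
    for k in after.keys() - before.keys():
        d.added[k] = after[k]
    for k in before.keys() - after.keys():
        d.deleted[k] = before[k]
    for k in before.keys() & after.keys():
        if before[k] != after[k]:
            d.modified[k] = (before[k], after[k])
    return d


def diff_snapshots(before: Snapshot, after: Snapshot) -> dict:
    """Add / delete / modify for each of the four indicator classes."""
    return {name: diff_map(getattr(before, name), getattr(after, name))
            for name in ("files", "registry", "ports", "processes")}


def persistent_indicators(baseline, infected, rebooted) -> dict:
    """Keys that are new or changed after infection AND still so after a
    restart: these are the persistence mechanisms to chase first."""
    first = diff_snapshots(baseline, infected)
    second = diff_snapshots(baseline, rebooted)
    return {name: (set(first[name].added) | set(first[name].modified))
                  & (set(second[name].added) | set(second[name].modified))
            for name in first}


def report(diff: dict) -> list:
    lines = []
    for name, d in diff.items():
        lines += [f"+ {name}: {k}" for k in d.added]
        lines += [f"- {name}: {k}" for k in d.deleted]
        lines += [f"~ {name}: {k}" for k in d.modified]
    return lines


# ---- constructed sample data (hypothetical paths and values) --------------
HOSTS = r"C:\Windows\System32\drivers\etc\hosts"
EXPLORER = r"C:\Windows\explorer.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"
UPDATE = r"C:\Users\Public\update.exe"
STAGE = r"C:\Windows\Temp\stage1.tmp"
DROPPER = r"C:\Windows\Temp\dropper.exe"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"

BASELINE = Snapshot(
    files={HOSTS: sha256(b"127.0.0.1 localhost\n"), EXPLORER: sha256(b"explorer")},
    registry={r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth":
              r"C:\Windows\System32\SecurityHealthSystray.exe"},
    ports={("tcp", 135): SVCHOST, ("tcp", 445): "System"},
    processes={EXPLORER: sha256(b"explorer"), SVCHOST: sha256(b"svchost")},
)
# Infection: dropper writes update.exe, edits hosts, adds a Run key, opens 4444.
INFECTED = Snapshot(
    files={**BASELINE.files,
           HOSTS: sha256(b"127.0.0.1 localhost\n0.0.0.0 av-updates.example\n"),
           UPDATE: sha256(b"MZ update"), STAGE: sha256(b"stage"),
           DROPPER: sha256(b"MZ dropper")},
    registry={**BASELINE.registry, RUN_KEY: UPDATE},
    ports={**BASELINE.ports, ("tcp", 4444): UPDATE},
    processes={**BASELINE.processes, UPDATE: sha256(b"MZ update"),
               DROPPER: sha256(b"MZ dropper")},
)
# After a restart the dropper and its staging file are gone; the Run key
# relaunched update.exe, which reopened its port.
REBOOTED = Snapshot(
    files={k: v for k, v in INFECTED.files.items() if k not in (STAGE, DROPPER)},
    registry=dict(INFECTED.registry),
    ports=dict(INFECTED.ports),
    processes={k: v for k, v in INFECTED.processes.items() if k != DROPPER},
)

if __name__ == "__main__":
    print("\n".join(report(diff_snapshots(BASELINE, INFECTED))))
    print("persistent:", persistent_indicators(BASELINE, INFECTED, REBOOTED))
```

Hashing file contents rather than recording size and timestamp is what makes the "modified" class trustworthy: a trojanized binary can keep both of those. Take the baseline from a clean image, not from a machine that has already been on the network.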


Network  Diagnostic  Tools 

Define:

- Used by system administrators inside the network
- Checklist for vulnerabilities
- Nmap

Impact:

- Used in conjunction with other malware
- Once inside the network
  • Can build a full map of the internal network

Takeaway:

- Many tools can be used for good or evil
- Use an IDS to detect unauthorized scanning activity

Network  Diagnostic  Tools: 
Relevance  to  C2 

•  Network  tools  scan  for  vulnerabilities 

•  Provide  a  blueprint  for  a  successful  attack 
on  the  computers  in  a  network 
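Two detections a practitioner would run on connection logs, as an added example (not the paper's code) that serves both this slide's takeaway (use an IDS to detect unauthorized scanning) and the Bots slides' points that bots are noisy and beacon to their controller: fan-out scan detection over a sliding time window, and beacon detection from the regularity of inter-arrival times. The one-connection-per-line log format (epoch seconds, source, destination, destination port, protocol) and every record are constructed; real input would be Zeek conn logs or firewall records carrying the same fields.

```python
"""Scan and beacon detection over connection records. Added example; the log
format and all records below are constructed."""
import statistics
from collections import Counter, defaultdict, deque
from typing import NamedTuple


class Conn(NamedTuple):
    ts: float
    src: str
    dst: str
    dport: int
    proto: str


def parse_log(text: str) -> list:
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        records.append(Conn(float(ts), src, dst, int(dport), proto))
    return records


def detect_scans(records, distinct_targets=20, window=60.0) -> list:
    """Flag a source that touches >= distinct_targets distinct (host, port)
    pairs inside a sliding window: the fan-out signature of Nmap-style
    discovery, whatever tool produced it."""
    alerts = []
    by_src = defaultdict(list)
    for r in records:
        by_src[r.src].append(r)
    for src, conns in by_src.items():
        conns.sort(key=lambda c: c.ts)
        win, live = deque(), Counter()
        for c in conns:
            win.append(c)
            live[(c.dst, c.dport)] += 1
            while c.ts - win[0].ts > window:          # expire old records
                old = win.popleft()
                live[(old.dst, old.dport)] -= 1
                if live[(old.dst, old.dport)] == 0:
                    del live[(old.dst, old.dport)]
            if len(live) >= distinct_targets:
                alerts.append({"src": src, "start": win[0].ts, "targets": len(live)})
                break                                 # one alert per source
    return alerts


def detect_beacons(records, min_events=6, max_cv=0.1) -> list:
    """Flag a (src, dst, dport) flow whose inter-arrival times are nearly
    constant: coefficient of variation (stdev / mean) <= max_cv over at least
    min_events connections. Human-driven traffic is far more irregular."""
    flows = defaultdict(list)
    for r in records:
        flows[(r.src, r.dst, r.dport)].append(r.ts)
    alerts = []
    for (src, dst, dport), ts in flows.items():
        if len(ts) < min_events:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            alerts.append({"src": src, "dst": dst, "dport": dport,
                           "period_s": round(mean, 1), "cv": round(cv, 3)})
    return alerts


# ---- constructed sample log ------------------------------------------------
def _build_log() -> str:
    lines = ["# ts src dst dport proto"]
    for i in range(30):            # scanner: 30 ports on one host in ~9 s
        lines.append(f"{1000 + 0.3 * i:.1f} 10.0.0.5 10.0.0.20 {i + 1} tcp")
    for k, jitter in enumerate([0, 3, -2, 5, -4, 1, 2, -3, 4, -1]):
        # bot: calls home every 300 s with a few seconds of jitter
        lines.append(f"{2000 + 300 * k + jitter:.1f} 10.0.0.7 203.0.113.9 443 tcp")
    for t in (3000, 3010, 3105, 3145, 3445, 3450, 3900):
        # a person browsing: same destination, irregular timing
        lines.append(f"{t:.1f} 10.0.0.8 10.0.0.30 80 tcp")
    return "\n".join(lines)


SAMPLE_LOG = _build_log()

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("scans:", detect_scans(recs))
    print("beacons:", detect_beacons(recs))
```

Both thresholds are tuning knobs: an inventory agent or a monitoring poll will show up as a low-jitter beacon too, so the beacon list is a lead to triage against the asset inventory, not a verdict. The scan rule counts distinct (host, port) pairs so that a horizontal sweep of one port across many hosts fires as readily as a vertical sweep of one host.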


Rootkits


Define: 

-  Hide  files,  processes,  registry  keys  and  open 
ports 

Impact: 

-  Interfere  with  operating  system  reporting  of 
processes,  file  system  contents 

-  You  don’t  know  what  you  don’t  know 

Takeaway:

- Cannot trust the normal tools on the infected system
- Do not load unsigned drivers
- Kernel mode: may need to rebuild the system from known-good media


Rootkits:  Relevance  to  C2 


•  A  rootkit  on  a  node  allows  any  or  all  of  the 
above  types  of  malware  to  operate  covertly 

•  Cannot  see  the  process  or  file 

•  Need  special  tools  to  diagnose 
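One of the "special tools" this slide refers to is a cross-view check, shown here as an added example that is not the paper's code. It is Linux-specific and assumes a readable /proc. Two independent views of the process table are taken: what listing /proc reports (the view ps and top depend on, and the one user-mode and many kernel rootkits hook) and what the kernel admits when every PID is probed with kill(pid, 0). A PID the second view knows and the first does not is hidden. The listing is taken before and after the probe so that processes that simply exited during the sweep are not reported.

```python
"""Cross-view process enumeration to expose a process-hiding rootkit.
Added example; Linux only, assumes /proc is mounted and readable."""
import os


def pids_from_procfs(proc="/proc") -> set:
    """View 1: PIDs as reported by listing /proc (what ps and top rely on)."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def is_thread_group_leader(pid, proc="/proc") -> bool:
    """kill(tid, 0) also succeeds for thread IDs, which never appear in the
    /proc listing; keep only real processes (Tgid == pid). If the status file
    cannot be read at all, keep the candidate: a PID that answers a probe but
    has no readable /proc entry is exactly what we are hunting."""
    try:
        with open(f"{proc}/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:
        return True
    return True


def pids_by_probe(max_pid=None, proc="/proc") -> set:
    """View 2: brute-force every PID with signal 0. ESRCH means no such
    process; EPERM means it exists but belongs to another user."""
    if max_pid is None:
        with open(f"{proc}/sys/kernel/pid_max") as f:
            max_pid = int(f.read())         # may be 4194304: a few seconds
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:          # ESRCH
            continue
        except PermissionError:             # EPERM: exists, not ours
            pass
        if is_thread_group_leader(pid, proc):
            found.add(pid)
    return found


def hidden_pids(visible: set, probed: set) -> set:
    """PIDs present in the probe view but absent from the listing view."""
    return probed - visible


def cross_view_check(max_pid=None) -> dict:
    """Listing, probe, listing again: a PID that answered the probe but is in
    neither listing is hidden, not merely short-lived."""
    before = pids_from_procfs()
    probed = pids_by_probe(max_pid)
    after = pids_from_procfs()
    hidden = hidden_pids(before | after, probed)
    return {"visible": len(before | after), "probed": len(probed),
            "hidden": sorted(hidden)}


def self_pid_visible():
    """Sanity check: the current process must appear in both views.
    Returns None where there is no /proc to consult."""
    if not os.path.isdir("/proc"):
        return None
    me = os.getpid()
    return me in pids_from_procfs() and me in pids_by_probe(max_pid=me)


if __name__ == "__main__":
    print(cross_view_check())
```

A kernel-mode rootkit that hooks both the directory listing and the signal path defeats this check too, which is the slide's point: when both views agree and you still suspect a compromise, the next step is examining the disk and memory from outside the running system.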


Advanced  Persistent  Threat 


•  Define: 

-  Combination  of  all  of  the  above 

-  Being  used  by  trained,  persistent  people 

-  Funded  by  governments,  criminals 

•  Impact: 

-  Target  a  specific  organization,  for  a  specific  goal 

-  You  may  be  the  target 

•  Takeaway: 

-  Be  frightened:  it’s  real 


Advanced Persistent Threat: Relevance to C2

•  Major  offensive  effort 

•  May  have  to  accept  that  dedicated  attackers 
will  get  into  C2  nodes 

-  Accept  that  they  will  enter  a  system 

-  Reduce  how  long  they  are  in  a  system 

-  Noisier  to  get  out  than  in 

-  Deny  them  outgoing  communications 


Increasing  Cyberthreat  Awareness 

•  Learn  about  current  threats 

•  Learn  about  a  specific  virus  /  malware 

•  Use  trusted  databases: 

-  Malware’s  characteristics 

-  Method  of  infection 

-  Removal 

-  Variants 

-  Area  of  the  world  where  the  malware  is 
currently  proliferating 
National Vulnerability Database (NVD)

NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance (e.g. FISMA). NVD includes databases of security checklists, security related software flaws, misconfigurations, product names, and impact metrics.

Federal Desktop Core Configuration settings (FDCC): NVD contains content (and pointers to tools) for performing configuration checking of systems implementing the FDCC using SCAP. FDCC checklists are provided for use with SCAP FDCC capable tools.

NVD contents (last updated 2/4/2014): 60348 CVE vulnerabilities, 227 checklists, 248 US-CERT alerts, 2818 US-CERT vulnerability notes, 10286 OVAL queries, 83734 CPE names; CVE publication rate: 19.2.

NVD primary resources:

- Vulnerability Search Engine (CVE software flaws and CCE misconfigurations)
- National Checklist Program (automatable security configuration guidance in XCCDF and OVAL)
- SCAP (program and protocol that NVD supports)
- SCAP Compatible Tools
- SCAP Data Feeds (CVE, CCE, CPE, CVSS, XCCDF, OVAL)
- Product Dictionary (CPE)
- Impact Metrics (CVSS)
- Common Weakness Enumeration (CWE)
Security Focus Homepage

[Screenshot of the SecurityFocus "Vulnerabilities" list dated 2014-02-05: Oracle MySQL Server CVE-2014-0431 Remote Security Vulnerability (http://www.securityfocus.com/bid/64897); Mozilla Firefox/Thunderbird/SeaMonkey CVE-2014-1478 Multiple Memory Corruption Vulnerabilities (http://www.securityfocus.com/bid/65324); Mozilla Firefox/Thunderbird/SeaMonkey CVE-2014-1477 Multiple Memory Corruption Vulnerabilities (http://www.securityfocus.com/bid/65317); ImpressCMS Arbitrary File Access And Multiple Cross Site Scripting Vulnerabilities (http://www.securityfocus.com/bid/65279); and the Oracle MySQL Server entries already listed in Figure 3 (CVE-2013-5894, CVE-2014-0427, CVE-2013-5881, CVE-2014-0386, CVE-2014-0433, CVE-2014-0402).]
McAfee Threat Center

[Screenshot of the McAfee Threat Center page shown in Figure 4: the breaking advisory of January 14, 2014 on Microsoft's four January Security Bulletins (one rated 'Important' with a potential impact of remote code execution), the McAfee Labs 2014 Predictions Report, and the "Search the Threat Library" box.]
2014 US State of Cybercrime Survey

• Co-sponsored by PwC, CSO magazine, the CERT® Division of the Software Engineering Institute at Carnegie Mellon University, and the United States Secret Service

• The most frequent types of incidents:

- Malware
- Phishing
- Network interruption
- Spyware
- Denial of service attacks

• Cyberadversaries use sophisticated targeting techniques

- Criminals
- Nation-states

Education 


About  Threats 

Behavior  of  infected  computers 

-  Investigate  qualities  of  different  types  of 
malicious  software 

-  Changes  to  infected  computer’s  files  and 
registry,  and  the  network  and  process  activity 

Malicious  Network  Traffic  Analysis 

-  Explore  the  network  delivery  methods 

-  Determine  if  there  has  been  abnormal  network 
behavior 

-  Isolate  any  malware  transmitted  over  the 
network 


Conclusions 


Every  threat  is  still  out  there 

-  Slightly  changed  to  create  a  new  signature 

-  Combined  threats  for  more  complex  attacks 

-  Malware  is  available  in  kits 

Firewalls and defense-in-depth

Keep AV up-to-date

-  Only  identifies  known  signatures 

-  Cannot  detect  zero-day  threats 

Keep  users  up-to-date 

-  Understanding  "normal”  processes  and  traffic 

Education  is  the  key  to  meet  the  threat 


Thank  You! 


Questions? 


To  learn  more: 

www.anrc-services.com 


mac@anrc-services.com 


